Migrating On Prem to Azure, Azure AD replacing On Prem AD?

Stephen Weber 351 Reputation points
2023-01-24T17:03:14.61+00:00

We are in the process of migrating our resources from On Prem to Azure. We have migrated our servers to Azure, and also set up an Azure-based DC and made that DC the master of all 5 roles. On prem, we have two DCs. Currently we have the local LAN connected to Azure via a Meraki router with a VMX100 in Azure to manage the connectivity, and we use AD Sync, so when the users log in to the on prem network they have scope in the Azure network as well and can access the resources both on prem and in Azure. Remote users use a VPN to connect to the On Prem network, from which they also have access to Azure.

This is a bit out of my area of expertise, so I apologize in advance for the newbie questions.

  1. Can I remove the DCs from On Prem and just have the users validate through the on prem network into Azure, and if so, will there be serious latency issues?
  2. Can I do away with the On Prem AD totally and use just Azure AD in this situation?

Thank you.


Accepted answer
  1. Thameur-BOURBITA 36,261 Reputation points Moderator
    2023-01-24T19:57:30.9633333+00:00

    Hi,

    1. Can I remove the DCs from On Prem and just have the users validate through the on prem network into Azure, and if so, will there be serious latency issues?

    Yes, you risk having latency, because the on-premise domain controllers are closer.

    If you still have on-premise resources, they may also be impacted when you demote the on-premise DCs.

    2. Can I do away with the On Prem AD totally and use just Azure AD in this situation?

    You should first migrate all on-premise services to Azure so that they use Azure AD accounts for authentication instead of on-premise AD user accounts.

    Once the on-premise services are migrated or decommissioned, you can use just Azure AD and demote your on-premise domain by following these steps:

    • If you don't have AD Connect already deployed, install it to ensure synchronization between the on-premise domain and Azure AD, so users keep the same password, login, etc.
    • Turn off directory synchronisation through AD Connect: Turn off directory synchronization for Microsoft 365
    • Demote all domain controllers in your on-premise domain

    Please don't forget to mark the helpful answer as accepted.

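The accepted answer's steps assume the Azure DC already holds the roles the question describes and that sync is currently healthy. The following PowerShell is an added example, not code from the thread or from Microsoft; it checks those preconditions from a domain-joined admin box before any on-prem DC is demoted. It assumes the RSAT ActiveDirectory module and, for the tenant-side check, the MSOnline module (the module the linked Microsoft 365 article uses, now deprecated in favour of Microsoft Graph). The host name `azdc01.corp.example.com` is a placeholder for the Azure-hosted DC.

```powershell
# Added example (not from the Q&A thread): readiness check before demoting the
# on-premises DCs. Assumes RSAT ActiveDirectory module; 'azdc01.corp.example.com'
# is a placeholder for the DC that was built in Azure.
Import-Module ActiveDirectory

function Get-DemotionReadiness {
    param([Parameter(Mandatory)][string]$AzureDc)

    $domain = Get-ADDomain
    $forest = Get-ADForest

    # 1. The question says all five FSMO roles were moved to the Azure DC; verify
    #    rather than trust it, because demoting a DC that still holds a role
    #    leaves the role orphaned.
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    $misplaced = @($roles.GetEnumerator() | Where-Object { $_.Value -ne $AzureDc })

    # 2. The surviving DC must be a Global Catalog: Azure AD Connect and UPN-based
    #    logons need one once the on-prem GCs are gone.
    $dcs = Get-ADDomainController -Filter *
    $survivingGc = @($dcs | Where-Object { $_.HostName -eq $AzureDc -and $_.IsGlobalCatalog })

    # 3. Replication must be clean, otherwise changes still sitting on an
    #    on-prem DC are lost when it is demoted.
    $replFailures = @(Get-ADReplicationFailure -Target $domain.DNSRoot -Scope Domain)

    [pscustomobject]@{
        FsmoRolesNotOnAzureDc  = @($misplaced | ForEach-Object Name)
        AzureDcIsGlobalCatalog = $survivingGc.Count -gt 0
        ReplicationFailures    = $replFailures.Count
        AllDcs                 = $dcs | Select-Object HostName, Site, IsGlobalCatalog
        ReadyToDemote          = ($misplaced.Count -eq 0) -and
                                 ($survivingGc.Count -gt 0) -and
                                 ($replFailures.Count -eq 0)
    }
}

Get-DemotionReadiness -AzureDc 'azdc01.corp.example.com' | Format-List

# 4. Tenant side: the directory-sync state that the accepted answer says to turn
#    off as the last step. Skip this block if MSOnline is not installed.
Import-Module MSOnline
Connect-MsolService
Get-MsolCompanyInformation | Select-Object DirectorySynchronizationEnabled, LastDirSyncTime
```

Only once `ReadyToDemote` is true should the sync be disabled (`Set-MsolDirSyncEnabled -EnableDirectorySync $false`, which Microsoft documents as taking up to 72 hours to complete) and each on-prem DC demoted with `Test-ADDSDomainControllerUninstallation` followed by `Uninstall-ADDSDomainController`. After sync is off, the synced accounts become cloud-only objects whose attributes and passwords are managed in Azure AD, so there is no path back short of re-enabling sync.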

3 additional answers

  1. Steskal, John (GE CoreTech & Cyber) 20 Reputation points
    2023-01-24T20:25:01.12+00:00

    This is the wrong view, as Azure AD does not support the creation of SIDs, and Windows Server is not supported with Azure AD when it comes to group policy, authentication (unless you are on Windows Server 2022), and OUs. AD DS is never going away as long as you have servers and Windows integrated auth.


  2. Tobias Massoth 16 Reputation points
    2023-01-24T21:50:32.5433333+00:00

    Hi Stephen,

    "Can I remove the DCs from On Prem and just have the users validate through the on prem network into Azure, and if so, will there be serious latency issues?"

    • Yes, you can demote the DCs; however, you should plan one or more additional DCs on Azure in different Availability Zones or even regions for high availability. If you do so, you should expect higher latency, because your on-premises workloads and users no longer access the local DCs (they no longer exist) but your Azure DCs. In case there is nothing left in your on-premises environment, you could migrate the VPN solution to Azure if feasible, or make use of Azure P2S VPN or other solutions.

    "Can I do away with the On Prem AD totally and use just Azure AD in this situation?"

    • As already mentioned, as long as you have servers, you will need AD DS. Azure AD does not support GPOs or OUs, hence there are restrictions on how you can manage your endpoints and users. As part of your transformation journey, you could potentially replace AD DS with Azure AD DS, which is a managed AD. There are some limitations that need to be considered, e.g. you cannot make schema updates (required for Exchange), become Enterprise Administrator, or log in via RDP, just to name a few. However, GPOs are supported.

    Best regards,

    Tobias


  3. Limitless Technology 44,766 Reputation points
    2023-01-25T17:01:19.9833333+00:00

    Hello Stephen Weber,

    As long as the migration strategy was planned for all services and objects, it should not be an issue to decommission the on-prem DCs. Since the size of this configuration may depend on the extent of your infrastructure, the best practice would be to announce a planned (potential) outage to different departments, such as internal support, managers of departments, etc., in order to verify that everything works OK. At the agreed time and date (for instance Wednesday at 11am), turn off the on-premise domain controllers for a test period of 1-2 hours. If no issues have been reported, you can proceed with a longer period (1 month turned off) in order to ensure that nothing has been left behind. After that period without issues reported in that area, the systems can be successfully decommissioned.


    --If the reply is helpful, please Upvote and Accept as answer--

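The staged shutdown above relies on people reporting problems. Two checks turn it into evidence: before powering the on-prem DCs off, list which machines still authenticated against them recently; during the test window, confirm from a sample workstation that it now locates and authenticates against an Azure DC. The PowerShell below is an added example, not code from the thread; `corp.example.com`, `ONPREM-DC1` and `ONPREM-DC2` are placeholders, the DC names in `$onPremDcs` are assumed to be the NetBIOS names of the two on-prem DCs, and the event-log query assumes remote Event Log access to those DCs.

```powershell
# Added example, not from the thread. Placeholders: domain name and DC names.
$domainName = 'corp.example.com'
$onPremDcs  = @('ONPREM-DC1', 'ONPREM-DC2')   # placeholder names for the two on-prem DCs

# --- Check A: run BEFORE the on-prem DCs are powered off. ---
# Lists source addresses that still requested Kerberos TGTs (event 4768) or NTLM
# validation (event 4776) on the on-prem DCs. Anything on this list has not moved
# to the Azure DCs yet and would break, silently or not, during the test window.
function Get-OnPremAuthClients {
    param([string[]]$DcNames, [int]$Days = 7)
    foreach ($dc in $DcNames) {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Security'; Id = 4768, 4776; StartTime = (Get-Date).AddDays(-$Days)
        } -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $data = ([xml]$e.ToXml()).Event.EventData.Data
            # 4768 carries the client in IpAddress (often ::ffff:-mapped IPv4);
            # 4776 carries the workstation name in Workstation.
            $src = ($data | Where-Object { $_.Name -in @('IpAddress', 'Workstation') }).'#text'
            [pscustomobject]@{
                DC      = $dc
                EventId = $e.Id
                Source  = ($src -replace '^::ffff:', '')
            }
        }
    }
}

Get-OnPremAuthClients -DcNames $onPremDcs |
    Group-Object DC, Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# --- Check B: run on a sample workstation/server DURING the test window. ---
function Test-AzureDcLogon {
    param([string]$Domain, [string[]]$OnPremDcs)
    # Force DC Locator to re-discover instead of reusing a cached on-prem answer;
    # $env:LOGONSERVER is set at logon time and is stale for this purpose.
    $nltest = nltest /dsgetdc:$Domain /force
    $dcLine = $nltest | Select-String '^\s*DC:\s*\\\\(\S+)'
    $dc     = if ($dcLine) { $dcLine.Matches[0].Groups[1].Value } else { '<not found>' }
    $onPrem = $OnPremDcs | Where-Object { $dc -like "$_*" }

    # A fresh TGT proves the Azure KDC is reachable and trusted; the match is on
    # klist's own success text, which includes a "Cached Tickets" summary.
    $klist = (klist get "krbtgt/$($Domain.ToUpper())" 2>&1 | Out-String)

    [pscustomobject]@{
        LocatedDc        = $dc
        StillUsingOnPrem = [bool]$onPrem
        SecureChannelOk  = Test-ComputerSecureChannel
        KerberosTgtOk    = $klist -match 'Cached Tickets'
    }
}

Test-AzureDcLogon -Domain $domainName -OnPremDcs $onPremDcs
```

Check A is the one that answers "has anything been left behind": a service account or appliance that only ever talks NTLM to one on-prem DC shows up there as a 4776 source long before a user complains. If the Check B object reports `StillUsingOnPrem` as true while the on-prem DCs are supposedly off, the client is resolving a stale DNS SRV record or a cached DC, which is a DNS clean-up problem rather than an authentication one.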
